Managing the Services

Managing the Containers

Once the networks are up, you may:

• Stop all datahosting containers with $ docker compose down

• List active containers with $ docker container ls

• Safely start, stop, and restart individual containers with $ docker container <container name> start, $ docker container <container name> start, and $ docker container <container name> restart, respectively.

Managing web users

Adding or modifying web users

1. Navigate to the datahosting project root directory.

2. Stop all datahosting containers with $ docker compose down.

3. Open secrets/web-user-config.json in a text editor.

4. Edit or add a new user under the “customer“ list element where “slug“ matches the desired customer’s slug field in daemon/database-config/customer-config.json.

5. Save and exit secrets/web-user-config.json.

6. Restart the containers with $ docker compose up -d.

Removing web users

1. Navigate to the datahosting project root directory.

2. Stop all datahosting containers with $ docker compose down.

3. Open secrets/web-user-config.json in a text editor.

4. Remove the desired user under the “customer“ list element where “slug“ matches the desired customer’s slug field in daemon/database-config/customer-config.json.

5. Save and exit secrets/web-user-config.json.

6. Restart the containers with $ docker compose up -d.

7. Access the database with $ docker exec -it rbr-dhdb-1 mariadb -p datahosting.

8. Enter the root password.

9. Enter > SELECT * FROM user to view all users.

10. Check that the desired user’s customer ID matches the desired customer with > SELECT * FROM customer.

    1. Alternatively, filter the customers by entering > SELECT * FROM customer WHERE customer_id = <customer id>.

11. Enter > DELETE FROM user WHERE (user_id = '<user id>') to delete the desired user.

12. Enter CTRL-D to exit the database interface.

Updating the containers

To update all of the containers:

1. Navigate to the datahosting project root directory.

2. Run $ docker compose pull to pull the requested image from the registry.

3. Run $ docker compose up --force-recreate -d to start the new version.

It is not necessary to update the containers individually.

Using the web host with an NGINX reverse proxy

The reverse proxy should be configured to forward traffic to the open port (80) on the containerized dhdaemon host as defined in docker-compose.yaml as services > <service> > ports > <host port>:<container port>.

The nginx instance used to serve the web interface should not be used as a reverse proxy. Another NGINX instance should be used as a reverse proxy.

Example HTTP-only NGINX reverse-proxy configuration

Place the following in the /etc/nginx/sites-available/ directory, change example.com to your domain name and create a symbolic link to it in the /etc/nginx/sites-enabled/ directory:

upstream rbr-datahosting {
  server        dhweb:80;
}

server {
  listen        80;
  server_name   rbr-data.example.com;

  location / {
    proxy_pass  http://rbr-datahosting;
  }
}

Restart the NGINX reverse proxy and try accessing the RBR datahosting web interface.

Example HTTPS NGINX reverse-proxy configuration with SSL termination

ssl.conf assumes that you have already obtained an SSL certificate and its key and that both are stored in the /etc/ssl/private directory.

If the reverse proxy NGINX server is not already set up for SSL, place the following in the /etc/nginx/ directory:

add_header Strict-Transport-Security    "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options              SAMEORIGIN;
add_header X-Content-Type-Options       nosniff;
add_header X-XSS-Protection             "1; mode=block";

proxy_set_header    X-Real-IP           $remote_addr;
proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
proxy_set_header    X-Forwarded-Proto   $scheme;
proxy_set_header    Host                $host;
proxy_set_header    X-Forwarded-Host    $host;
proxy_set_header    X-Forwarded-Port    $server_port;

ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
ssl_ecdh_curve              secp384r1;
ssl_ciphers                 "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256";
ssl_prefer_server_ciphers   on;
ssl_dhparam                 /etc/nginx/dhparams.pem;
ssl_certificate             /etc/ssl/private/fullchain.pem;
ssl_certificate_key         /etc/ssl/private/privkey.pem;
ssl_session_timeout         10m;
ssl_session_cache           shared:SSL:10m;
ssl_session_tickets         off;
ssl_stapling                on;
ssl_stapling_verify         on;

Place the following in the /etc/nginx/sites-available/ directory and create symbolic links to them in the /etc/nginx/sites-enabled/ directory:

upstream rbr-datahosting {
  server        dhweb:80;
}

server {
  listen        443 ssl;
  server_name   rbr-data.example.com;
  
  include       common.conf;
  include       /etc/nginx/ssl.conf;

  location / {
    proxy_pass  http://rbr-datahosting;
    include     common_location.conf;
  }
}

server {
  listen        80;

  server_name   _;

  return 301 https://$host$request_uri;
}

Lastly, run

openssl dhparam -out dhparams.pem 4096

And restart the NGINX reverse proxy.

Additional resources

These reverse proxy examples were modified from a free tutorial at: https://www.freecodecamp.org/news/docker-nginx-letsencrypt-easy-secure-reverse-proxy-40165ba3aee2/

Find NGINX’s official documentation at: https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/

Find NGINX’s official documentation on running NGINX on Docker at: https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-docker/#running-nginx-open-source-in-a-docker-container